actions-runner: add Forgejo runner to nix-cache02 with Vault token

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-10 00:41:24 +01:00
parent ff5f166855
commit 117e54a849
5 changed files with 34 additions and 3 deletions


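--- /dev/null
+++ b/<path-not-shown>/actions-runner.nix
@@ -0,0 +1,16 @@
+{ ... }:
+{
+# Fetch runner token from Vault
+vault.secrets.forgejo-runner-token = {
+secretPath = "hosts/nix-cache02/forgejo-runner-token";
+extractKey = "token";
+mode = "0444";
+services = [ "gitea-runner-actions1" ];
+};
+# Override token source and runner capacity
+services.gitea-actions-runner.instances.actions1 = {
+tokenFile = "/run/secrets/forgejo-runner-token";
+settings.runner.capacity = 4;
+};
+}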
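Review bot: `mode = "0444"` on the Vault-rendered secret makes the runner registration token readable by every local user and process on nix-cache02, which is far wider than the single `gitea-runner-actions1` unit that consumes it; `mode = "0400"` (or `"0440"` with a group) owned by that unit's user is the safer setting, though the owner/group option names of this `vault.secrets` module are not visible in the hunk. The `services` list presumably only ties the unit's ordering or restart to the secret rather than granting read access, so the mode is the only access control on the rendered file. The `tokenFile = "/run/secrets/forgejo-runner-token"` path is inferred from the secret's attribute name; worth a comment confirming it is where the module actually writes it. The hunk header announces 16 added lines but 15 are shown, so one (likely blank) line was lost in rendering.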


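--- a/<path-not-shown-file-2>
+++ b/<path-not-shown-file-2>
@@ -3,6 +3,8 @@
 ./configuration.nix
 ./builder.nix
 ./scheduler.nix
+./actions-runner.nix
 ../../services/nix-cache
+../../services/actions-runner
 ];
 }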


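--- a/<path-not-shown-file-3>
+++ b/<path-not-shown-file-3>
@@ -1,4 +1,4 @@
-{ config, pkgs, ... }:
+{ config, lib, pkgs, ... }:
 {
 # Trust podman interfaces so containers can reach the runner's cache service.
 # "podman+" is a wildcard matching any interface starting with "podman".
@@ -17,7 +17,7 @@
 enable = true;
 name = config.networking.hostName;
 url = "https://code.t-juice.club";
-tokenFile = "/var/lib/forgejo-runner/token";
+tokenFile = lib.mkDefault "/var/lib/forgejo-runner/token";
 labels = [
 "nix:docker://code.t-juice.club/torjus/runner-images/nix:latest"
 "node-bookworm:docker://node:lts-bookworm-slim"
@@ -25,7 +25,7 @@
 "golang:docker://code.t-juice.club/torjus/runner-images/golang:latest"
 ];
 settings = {
-runner.capacity = 2;
+runner.capacity = lib.mkDefault 2;
 cache = {
 enabled = true;
 dir = "/var/lib/gitea-runner/actions1/cache";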
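Review bot: The two new `lib.mkDefault` wrappers carry no explanation of why `tokenFile` and `runner.capacity` are the overridable knobs while `url`, `name` and `labels` stay fixed, so the next reader has to search the host tree to find the override. A one-line comment at the `tokenFile` line such as `# mkDefault: a host may point this at a secret-manager path and raise capacity (see the nix-cache02 host module)` would make the contract explicit. That same comment could state that hosts which do not override still depend on an unmanaged `/var/lib/forgejo-runner/token` being present on disk. The `instances.actions1` attribute set and the `settings` set both begin and end outside these hunks.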


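--- a/<path-not-shown-file-4>
+++ b/<path-not-shown-file-4>
@@ -145,6 +145,12 @@ locals {
 password_length = 64
 }
+# Forgejo runner token for nix-cache02
+"hosts/nix-cache02/forgejo-runner-token" = {
+auto_generate = false
+data = { token = var.forgejo_runner_token }
+}
 # Loki push authentication (used by Promtail on all hosts)
 "shared/loki/push-auth" = {
 auto_generate = true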


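--- a/<path-not-shown-file-5>
+++ b/<path-not-shown-file-5>
@@ -109,3 +109,10 @@ variable "sonarr_api_key" {
 sensitive = true
 }
+variable "forgejo_runner_token" {
+description = "Forgejo Actions runner token for nix-cache02"
+type = string
+default = "PLACEHOLDER"
+sensitive = true
+}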
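Review bot: `default = "PLACEHOLDER"` here, combined with `auto_generate = false` on the `hosts/nix-cache02/forgejo-runner-token` entry in the previous file, means an apply run without `TF_VAR_forgejo_runner_token` (or `-var`) writes the literal string `PLACEHOLDER` into Vault as the runner token, after which the runner on nix-cache02 fails registration with nothing pointing back at the cause. Dropping the default and adding a `validation` block that rejects an empty value makes the mistake fail at plan time instead; if the placeholder exists so that plans can run without the secret, the alternative is to omit that locals entry when the variable is unset. The description should also say where the value is expected to come from. As with every entry in that locals map, the token lands in Terraform state in plaintext — `sensitive = true` only redacts CLI output, so state storage access control is the real boundary.

```hcl
variable "forgejo_runner_token" {
  description = "Forgejo Actions runner token for nix-cache02. Supplied at apply time via TF_VAR_forgejo_runner_token; never committed."
  type        = string
  sensitive   = true

  # No default: fail at plan time rather than write a placeholder into Vault.
  validation {
    condition     = length(var.forgejo_runner_token) > 0 && var.forgejo_runner_token != "PLACEHOLDER"
    error_message = "forgejo_runner_token must be set to the real runner registration token."
  }
}
```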